In response to Alliance Technology’s recent newsletter article on cloud computing, and the brief Twitter debate between Dave Weis at Internet Solver, IP Pathways, and Theron Conrey at LightEdge, I bring you the Meyer Technology Group opinion.

First we must differentiate between the enterprise cloud and the SMB cloud.

Enterprises are moving their servers to the cloud and buying cloud computing. In whole or in part, they are still managing and maintaining the services that are hosted.

The SMB cloud discussion is based on services in the cloud. Not only are these hosted services, they are managed services, maintained by independent companies.

With that distinction made, neither of these approaches is really the revolutionary paradigm shift it is made out to be. Enterprises have long run mini datacenters (computer rooms) within their own building; moving to a shared building isn’t a huge leap. The micro SMBs have used hosted POP3/IMAP email for fifteen years.

Most of the current discussion is based on the latter, although it overlapped in Alliance’s newsletter in the migration paragraph. The SMB and mid-markets are increasingly interested in hosted services to ease their IT burden and cash flow. There’s also a great deal of concern about the cloud, both business management concerns and IT concerns (another distinction often worthy of making).

The most common hosted service is Exchange email. This is probably in large part due to the history of hosted email. (Of course, management often fails to realize that Exchange is more than a pass-through email service and that their emails are actually stored in the cloud and *not* on their own machines, but I digress.)

But hosted SharePoint and document management services as well as hosted line-of-business applications and databases are the meat of the cloud computing debate.

Why should I buy, license, install, configure, maintain, and repair a CRM server when I can pay salesforce.com $500/month?

The most common criticism is indeed data security. As Alliance pointed out, aggregate security requirements may overwhelm your own. And cloud services will readily boast of their security measures and compliance. But ultimately business owners are wary of these claims. While they are usually wary of their local IT provider or IT staff – simply because they have no way of verifying the claims themselves – the impersonal nature of most cloud providers only serves to further exacerbate their fears. The same can be said of data retention, disaster recovery, and so on.

While I don’t believe tangibility is a concern — most businesses would like to free up extra closet space — I suspect lack of visibility is a very real concern. Downtime seems longer and more severe without frantic technicians running around the office. (Of course, this could be partially alleviated with good customer service. But one of the efficiencies of managed services is a central helpdesk – presumably one that doesn’t keep enough techs on duty to handle a flood of “it’s down” calls. (And a ticketing system will surely be insufficient for the client at this time of disaster and crisis!))

While these concerns are mostly perceived, there are some concerns which are very real.

Data migration and data for ransom! There is a national retail franchise that is currently in court with their previous SaaS provider. They felt that their contract was not being fulfilled by the software company due to significant feature delays. The software company argued scope creep. The retail company found an alternative company and gave notice of intent to dissolve the contract. The software company, at that point dependent upon the retail company, refused to provide the client database unless the contract was paid off. Last I heard – each franchisee was *printing* their store’s database from the SaaS web app and re-entering it manually into their new software. Surely this is a complex legal issue, but a worst case scenario for most businesses considering the cloud.

Shared data security. Even with a secure and compliant hosted service, a simple programming glitch may expose your data to your competitors. While a programming flaw in an application on your server might expose your data within your organization, a programming flaw in a hosted application could expose your data to other users of the application… often your competitors!
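The kind of glitch described above, as an added example (not code from any real hosted service): a lookup that forgets to scope by tenant sits beside its corrected form, and a small regression check catches the difference. The table, tenant names and function names are all hypothetical.

```python
import sqlite3

def make_db():
    """Constructed sample data: two competing tenants sharing one table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers "
                 "(id INTEGER PRIMARY KEY, tenant TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO customers (tenant, name) VALUES (?, ?)",
        [("acme", "Acme client 1"), ("acme", "Acme client 2"),
         ("globex", "Globex client 1"), ("globex", "Globex client 2")])
    return conn

def get_customer_flawed(conn, session_tenant, customer_id):
    # The glitch: session_tenant is accepted but never used in the query,
    # so any logged-in tenant can read any row by guessing its id.
    row = conn.execute("SELECT name FROM customers WHERE id = ?",
                       (customer_id,)).fetchone()
    return row[0] if row else None

def get_customer_scoped(conn, session_tenant, customer_id):
    # Corrected: the tenant from the authenticated session is part of the
    # WHERE clause, so another tenant's id simply returns nothing.
    row = conn.execute(
        "SELECT name FROM customers WHERE id = ? AND tenant = ?",
        (customer_id, session_tenant)).fetchone()
    return row[0] if row else None

def cross_tenant_leaks(conn, lookup):
    """Ask for every row as every tenant; list (tenant, id) pairs where a
    row owned by a different tenant came back."""
    rows = conn.execute("SELECT id, tenant FROM customers").fetchall()
    tenants = {owner for _, owner in rows}
    return sorted((t, rid) for t in tenants for rid, owner in rows
                  if owner != t and lookup(conn, t, rid) is not None)

if __name__ == "__main__":
    db = make_db()
    print("flawed:", cross_tenant_leaks(db, get_customer_flawed))
    print("scoped:", cross_tenant_leaks(db, get_customer_scoped))
```
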

Verdict: Cloud is a buzzword. The technology is not groundbreaking but is definitely going to be increasingly utilized. Expect hybrid cloud and on-premises solutions. Completely hosted IT will be the future for some, but will never be for everybody.

Most readers are aware of last week’s McAfee fiasco. A definitions update was pushed out that flagged svchost as malicious, crashing every Windows XP SP3 machine on reboot.

IT admins spent countless hours – some throughout the night – recovering from McAfee’s negligence.

Ars Technica published a great article detailing some of the other false positive nightmares over the years and explaining why there is no end-all solution in sight.

In a continuation from my last post, this post is about the Iowa Gaming Commission hack. Today the Des Moines Register noted my opinion of the incident and a concurring opinion from Iowa State University Professor Qing Hu.

This post is about what the State did right, and about how this relates to local businesses and consumers.

Assuming I was correct in my last post, the hacker was actually a routine virus. That is, the server containing the employee database became infected with a virus. The virus was removed within 30 minutes, and this hoopla ensued. Some people might wonder why such a big deal was made if the information wasn’t at risk. The answer is, quite simply, because they’re required to by law. It’s a mandatory incident response. The stuff about the Chinese government wasn’t necessary, but I digress.

Consider this –

Your dentist, physician, insurance agent, accountant, and financial advisor all have private information about you — your name, date of birth, social security number, and probably a lot more. They are indeed regulated — HIPAA and GLBA for example — but when’s the last time you asked for an independent auditor’s report of compliance?

Because.. psst they probably aren’t compliant OR secure! And they probably have data breaches far worse than this at least once a year. They just don’t report them. Not because they’re malicious. They just didn’t realize it was a breach… or that incident response was required.. or what it even is.

And that credit card that you’re afraid to use online? Most online merchants undergo PCI-DSS compliance auditing and are actually relatively safe. The tanning salon that charges you every month? Some of them keep a text file with a list of names, credit card numbers, and expiration dates on the same machine that the front desk staff download Limewire on.

Ignorance is not an excuse, but that is precisely what small businesses claim. Even when told that their contract with Visa requires PCI-DSS compliance, they’re unlikely to make any changes.

Taking all of that into account — I commend the State on not trying to sweep this under the rug and instead following their proper procedures. I only wish small businesses knew to do the same.

Disclaimer: This article is pure speculation based solely on what was read in the articles below. I am not connected to the incident and public details have been extremely vague.

The Des Moines Register today published an article where the state publicly linked the Chinese government to the recent Iowa Gaming Commission incident. I highly doubt Chinese government involvement. I suspect the State is just deflecting the blame.


Analysis:

In this case “hacked” generally means someone or something obtained unauthorized access. It is important not to forget the “something,” as automated bots are still a possibility.

“The hacker gained entry to the state’s computer system on Jan. 26 while the state-owned Iowa Communications Network was performing routine maintenance on a firewall. The state firewall functionality was circumvented due to network routing changes.”

I suspect “routine maintenance” in this case to mean “we accidentally put the server into a DMZ for a couple hours,” or maybe just mistyping an IP. It happens. And it’s extremely unlikely that the changes were of a smaller scale and a hacker was made aware and pounced at that exact moment.

“.. The hacker then accessed the commission’s database because a firewall on the commission’s computer system had not been properly patched by a private contractor.”

The server was on a private LAN and was running insecure services. When that private IP was exposed to the internet, an automated vulnerability scanner picked up on that insecure service and exploited it. This is extremely common.

The amount of time it takes an automated vulnerability scanner to exploit an insecure service accidentally exposed to the internet is referred to as time to infection and may average as little as 4 minutes.

“There is nothing to show that even if all the patches had been installed, they still wouldn’t have gotten in because they had already gotten through the state’s firewall.”

This is the Gaming Commission deflecting blame from Ambient. Anyone on that private LAN — office employees — could have hacked into the server at any time. Ambient likely relies solely on automated patch management and was not doing any manual verifications. The GC apparently wasn’t either.

“He said the computer server affected by the breach was shut down about 15 minutes after it was compromised.”

Either the machine started displaying unusual popups, an IDS picked up outgoing bot activity, or Ambient noted unusual event log activity. But an expert hacker wouldn’t trip any of these alarms. Google was compromised by the Chinese government for nearly a month before they noticed. This lends strong credence to my suspicion of routine malware.


So what do I think happened?

Someone was performing configuration changes on the firewall and mistyped an IP address… exposing the server. Ambient was slacking off on their patch management and the server was vulnerable to something like MS09-050. An automated bot on a hacked machine in China exploited the server and installed a replica of itself which started scanning. IDS picked up the traffic flood and the machine was shut off. The records weren’t stolen as no human hacker was ever actually on the machine.

The State and Ambient both made mistakes and had to place the blame somewhere. They didn’t want to say that they failed to verify their new firewall configuration before deploying it, or that they failed to verify that a third-party patch management service was doing its job. They certainly didn’t want to say that they got infected by the XP AntiVirus 2010 virus. And the automated bot had a Chinese IP. And the Chinese government was just in the press……
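One way to verify a firewall change before deploying it, as an added example (not anything the State or its contractor used): evaluate the old and the proposed ruleset against an inventory of internal services and flag anything that becomes reachable from the internet. The rule format, addresses and function names are assumptions made for illustration.

```python
import ipaddress

def first_match(rules, src, dst, port):
    """Action of the first rule matching the flow; default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r["src"])
                and d in ipaddress.ip_network(r["dst"])
                and r["port"] in ("any", port)):
            return r["action"]
    return "deny"

def newly_exposed(old_rules, new_rules, assets, probe_src="203.0.113.10"):
    """Services an internet source reaches under new_rules but not old_rules."""
    return [(host, port) for host, port in assets
            if first_match(old_rules, probe_src, host, port) == "deny"
            and first_match(new_rules, probe_src, host, port) == "allow"]

# Constructed inventory: internal services that must stay unreachable from
# the internet, plus the one intentionally public web server.
ASSETS = [("10.1.2.3", 445), ("10.1.2.3", 1433), ("10.1.2.30", 443)]

ANY = "0.0.0.0/0"
OLD_RULES = [
    {"action": "allow", "src": ANY, "dst": "10.1.2.30/32", "port": 443},
    {"action": "deny", "src": ANY, "dst": "10.1.2.0/24", "port": "any"},
]
# Constructed change: the new allow rule was meant for 10.1.2.30 but the
# address was mistyped as 10.1.2.3, the internal database server.
NEW_RULES = [
    {"action": "allow", "src": ANY, "dst": "10.1.2.3/32", "port": "any"},
] + OLD_RULES

if __name__ == "__main__":
    for host, port in newly_exposed(OLD_RULES, NEW_RULES, ASSETS):
        print(f"BLOCK DEPLOY: {host}:{port} becomes internet-reachable")
```
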

Check back tomorrow for an update: What the State did right and how this relates to local businesses and consumers.

Yesterday I spoke to Jeff Eckhoff about the iPad. I complained that the iPhone/iPod Touch OS was very limited and suggested that the same machine running OS X would be much more attractive. I wasn’t alone. Bloggers complained and images like this hit #1 on the social news sites.

It’s suggested that Apple’s motivation for using the iPhone OS is that they felt a machine under $1000 running OS X would damage their value perception. While this is certainly true, I suspect Apple’s intent is further reaching. The iPad is their attempt at pushing their limited platform into mainstream computing. Why would they want to do that?

  • App Store profit. There is only one place to buy Apple-approved programs, and Apple owns it. They take a cut of every purchase.
  • No competition. Don’t like Safari? Prefer Firefox? Too bad. Apple doesn’t have to approve competitors’ applications, at least not until they’re sued.
  • No viruses. Apple won’t approve malicious software and a closed ecosystem won’t allow it to run without permission.
  • It just works. The more limitations it has, the less it does but the easier it is to use.

The timing is perfect; there are a staggering number of Apps available for the iPhone/iPod Touch and malware is at an all-time high.

But is it a step in the right direction? Slashdot doesn’t think so:

Every time Apple decides to close something off – by insisting on approving apps, by not giving you a [general purpose] USB port, etc., and people go for it anyway, because it’s slick and nice to use, we get used to a little bit less openness.

People don’t miss openness until it’s too late. Then it’s suddenly “What do you *mean* I can only use printers that are Apple certified?”. “I’ve bought all these e-books, and now the only place I can read them is on Apple hardware?” etc.

Either way, iPad success could signal a new era in computing: the limited platform.

Google accused China today of malicious attacks on Google’s servers intended to gather information about the Gmail accounts of human rights activists.

Further, Google noted that many other Gmail accounts belonging to human rights activists had been accessed by multiple third parties, suggesting that their passwords had been compromised. Google reiterated the importance of anti-virus, patch management, and safe browsing.

Despite the hoopla, when it comes to Chinese hacking, this is only the tip of the iceberg. A more significant but less widely publicized story involves intrusions into the Obama and McCain computer systems during the 2008 general election.

In November 2008 Newsweek published a behind-the-scenes article about the campaigns:

.. Technology experts detected what they initially thought was a computer virus… But by the next day, both the FBI and the Secret Service came to the campaigns with an ominous warning: “You have a problem way bigger than what you understand,” an agent told Obama’s team. “You have been compromised, and a serious amount of files have been loaded off your system.”

In 2009, WSJ published comments made by President Obama about the incident.

“What isn’t widely known is that during the general election hackers managed to penetrate our computer systems. Hackers gained access to emails and a range of campaign files, from policy position papers to travel plans.”

The White House and FBI suggested the intrusions were the work of a “foreign entity” likely seeking information on the two sides’ policy positions to use in negotiations with the next administration. And while Russian organized crime is often blamed for malicious cyberattacks, security industry experts widely assumed it was the Chinese government.

Multitaskers beware: On-screen notification pop-ups and visual alerts designed to increase productivity can actually end up costing you time in the long run, according to a new study.

“Email notifications and instant messages all cause a break in focus of the task in hand, even if they are attended to only very briefly,” said study author Helen Hodgetts of the University of Cardiff in the UK.

To update Outlook 2007, open the Tools menu and click Options. Push the Email Options button and then the Advanced Email Options button. In the dialog box that opens, the second paragraph contains the relevant options. In accordance with this study, our advice is to uncheck the Display a New Mail Desktop Alert option. You may want to check Play a sound if it will not distract you or those around you.

Trusted Reviews has put the new Dell XFR rugged laptop through the grinder and it hasn’t fared as well as expected. Considering that these guys drove a car over a Panasonic Toughbook, they went pretty easy on the Dell, but it still couldn’t take the punishment. It looks like Dell still has a way to go to steal the ball from Panasonic when it comes to all-terrain computing.

A Sophos blog today tested 10 unique incoming virus samples against Windows 7 UAC.

The results were dismaying, with UAC preventing infection of only a single virus. Two of the samples did not run on Windows 7 at all (one wasn’t Win32). The remaining 7 viruses reportedly infected Windows 7 with UAC enabled.

Sadly, Sophos Labs fails to provide detailed information about methodology. I suspect that most – if not all – of these infections target the local profile and would not be system wide.

Microsoft’s Big Easy promotion is back this November. Here’s a video explaining more:

<video removed>

(In a nutshell: Microsoft software purchases will include a rebate to pay for installation, configuration, etc.)
